Deploying Always On VPN with Autopilot is indeed supported and works quite well. The only requirement is that you must deploy certificates with Intune (root and subordinate CA certificates and the user authentication certificate). For native Entra ID joined devices, you simply deploy the Always On VPN user profile as you would normally. For hybrid Entra ID joined devices, you must also deploy a device certificate along with the device tunnel profile. If using hybrid Entra ID join (not recommended), I suggest deploying your devices with Enterprise Edition. If you must use Professional Edition, there's additional configuration required. Details here.
https://directaccess.richardhicks.com/2021/04/19/always-on-vpn-and-autopilot-hybrid-azure-ad-join/
Enjoy!